Re: Xitami Webserver stores admin password in clear text.

From: Larry W. Cashdollar (lwcat_private)
Date: Wed Nov 28 2001 - 06:52:42 PST


    On Tue, 27 Nov 2001, Tom Micklovitch wrote:
    
    > This is a known issue, and certainly on windows versions on Xitami, you actually have to create
    > the file defaults.aut yourself, as in, actually type in its contents.
    
    I know it is, it's in the FAQ mentioned on the xitami website and
    referenced in my advisory, that is why I released a little early.
    
    > But you are correct - it would be nice if it was encoded somehow.
    >
    > A more worrying issue is the fact that defaults.aut is world readable AND writable, hence if you
    > have shared the drive it's on, anyone on the local network can simply replace it with their password.
    
    I only tested on Linux, and in my installation defaults.aut was world
    readable but not world writeable. I did notice that in the development
    version 2.5b5 the default.aut file was group writeable as well.
    
    -- Larry
    
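    The exposure discussed in this thread comes down to the mode bits on the file that holds the admin password. The following audit is an added example, not Xitami's own code or anything from the original post: it reports group or world read/write access on a given file (assuming Linux coreutils `stat`) and offers a one-line hardening step.

```shell
#!/bin/sh
# Added example (not Xitami's code): report whether a credential file such as
# Xitami's defaults.aut is readable or writable by its group or by everyone.
# Usage: audit_aut_perms /path/to/defaults.aut
# Returns 0 when only the owner has access, 1 when it is exposed, 2 on error.
audit_aut_perms() {
    f="$1"
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
    # Octal mode from GNU stat (Linux coreutils assumed), e.g. 644 or 2664.
    mode=$(stat -c '%a' "$f") || return 2
    # Peel off the last two octal digits: "other" bits, then "group" bits.
    oth=${mode#"${mode%?}"}
    rest=${mode%?}
    grp=${rest#"${rest%?}"}
    exposed=0
    # In each digit r=4 and w=2; "& 4" / "& 2" isolate those bits.
    [ $((grp & 4)) -ne 0 ] && { echo "$f: group-readable"; exposed=1; }
    [ $((grp & 2)) -ne 0 ] && { echo "$f: group-writable"; exposed=1; }
    [ $((oth & 4)) -ne 0 ] && { echo "$f: world-readable"; exposed=1; }
    [ $((oth & 2)) -ne 0 ] && { echo "$f: world-writable"; exposed=1; }
    return $exposed
}

# Restrict the file to its owner, i.e. the account the web server runs as.
harden_aut_perms() {
    chmod 600 "$1"
}
```

    A group-writable or world-writable result is the case the thread warns about: anyone with write access can replace the stored password, not just read it.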
    This archive was generated by hypermail 2b30 : Wed Nov 28 2001 - 16:14:53 PST